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1 Introduction to quantum cryptography 

OS | Quantum cryptography is a method for providing two parties who want to communicate 

securely with a secret key to be used in established protocols of classical cryptography. For 
more reviews of this topic see M, ^ Bennett and Brassard showed that it is possible, 



at least ideally, to create a secret key, shared by sender and receiver, without both parties 
sharing any secret beforehand. We refer to this protocol as the BB84 protocol. || To 
q-( achieve this goal, sender and receiver are linked by two channels. The first channel is 

a public channel. The information distributed on it is available to both parties and to 
a potential eavesdropper. To demonstrate the principle of quantum cryptography we 
assume that the signals on this channel can not be changed by third parties. The second 
channel is a channel with strong quantum features. An eavesdropper can interact with the 
signal in an effort to extract information about the signals. The signal states are chosen 
in such a way that there is always, on average, a back reaction onto the signal states. We 
assume the quantum channel to be noiseless and perfect so that the back reaction of the 
eavesdropper's activity manifests itself as an induced error rate in the signal transmission. 

The BB84 protocol uses the polarisation states of single photons as signal states. The 
signal states are, for example, linear vertical or horizontal polarised photons or right or 
left circular polarised photons. The sender sends a sequence of single photons with a 
polarisation chosen randomly from the four given ones. The receiver uses randomly one 
out of two given polarisation analysers for each signal photon. One of the analysers distin- 
guishes between the two linear polarisations, the other between the circular polarisations. 
Therefore the sequence of signals contains two types of transmissions. In the first type the 
photon is prepared in a polarisation state which the polarisation analyser, chosen by the 
receiver, is able to distinguish unambiguously. An example is that a horizontal polarised 
photon is sent and the receiver chooses to use the linear polarisation analyser. Signals 
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of this type will be refered to as deterministic signals since, the outcome of the polarisa- 
tion measurement is fully determined by the state of the signal photon. The remaining 
signals are non-deterministic signals. An example for this is a horizontal linear polarised 
photon which triggers with equal probability the outcome "right circular" and "left circu- 
lar" in the polarisation analyser distinguishing in the circular polarisation basis. Sender 
and receiver can distinguish between deterministic and non-deterministic signals using 
the public channel without giving away any information about the specific signal. They 
just compare the polarisation basis of the signal and the measuring polarisation analyser, 
both of which can be "linear" or "circular". The signal sequence of the deterministic 
bits can then be transformed into a binary key by assigning "0" for linear horizontal or 
right circular polarised photons and "1" for the remaining linear vertical or left circular 
polarised photons. 

In this idealisation the security of quantum cryptography is given by the fact that the 
four polarisation states are not four orthogonal states and so there exists no quantum non- 
demolition measurement which could distinguish between them. Even more importantly, 
each attempt to distinguish between any of the states will change, in average, the states 
of the signals. This state-change destroys the perfect correlation between the signal and 
the measurement outcomes for the deterministic signals. A test checking this correlation 
will reveal any attempt at eavesdropping. If the test shows that the correlation is still 
perfect then sender and receiver can be sure that there was no eavesdropping attack and 
their shared binary key is perfectly secret. 

In the practical realisation of quantum cryptography we face two specific problems. 
The public channel needs to be implemented in such a way that sender and receiver can 
ensure that the messages being received are really coming from each other. This is the 
problem of authentication for which various techniques are in use. In general, however, 
there will be the need for the two parties to share a limited amount of secret knowledge, 
for example in form of a secret key, before the authentication can take place. Quantum 
cryptography then generates a large secret key from a small secret key. 

The work presented here deals with the second problem arising from the fact that all 
realistic quantum channels are noisy. Therefore the correlation between the signals and 
the measurement outcomes for the deterministic signals will not be perfect. Noise has the 
same effect on the signals as the activity of an eavesdropper. It is therefore necessary to 
think of all state change of the signals to be due to eavesdropping activity. It is intuitively 
clear that an eavesdropper can only have gained a small amount of information on the key 
if the correlation tested by sender and receiver are still strong, that is, if there are only a 
few transmission errors for the deterministic signals. One can hope to give a bound on the 
eavesdropper's Shannon information as a function of the error rate in the deterministic 
signals. Such bounds have been obtained assuming that the eavesdropper is restricted to 
von Neumann measurements only [[J or to a restricted class of more general measurements 
|J. Here we present a sharp bound |7], [8] on the Shannon information of an eavesdropper 
which is valid for all eavesdropping attacks which access each signal photon independently 
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of each other. It therefore does not include coherent attacks in which the product state 
of all signal photons is attacked. The sharp bound does not take into account that an 
eavesdropper can make use of the later acquired knowledge about the polarisation basis 
of the signal photons to change the measurement of the signal. However, we are able to 
give a rough upper bound for this situation. The reason that this is possible is that the 
eavesdropper has to decide how to interact with the signal states before he acquires the 
additional knowledge about the polarisation basis. 



2 Generalised measurements 

The key input to derive the bounds given in this paper is the most general description of a 
measurement on a given system. Any measurement can be described by a set of operators 
Ai defined on the Hilbert space Ti of the system the measurement is performed on. The 
only restriction on the operators is that 

E Mi = tn ■ (1) 

leK 

where K is some finite or countable infinite index set. The link between these operators 
and a measurement is given by the following formulas which describe the probabilities 
that a particular outcome of a measurement is triggered, and which give the final state 
of the measured system after that outcome was registered. For the sake of simplicity we 
assume the set of outcomes to be discrete. The probability that the outcome k is triggered 
by an input state with density matrix p is given by 

= [pE 44) (2) 

\ l£Kk J 

where the K k are disjunct subsets of K with K = \J k K k . The final density matrix p^ of 
the selected states belonging to this outcome is given by 

~(k) = E;gx fc ApA} 

" Tr w (pE^ fc 4V) ' 

The density matrix of the final state, which does not select any states, but describes the 
whole ensemble for all outcomes is given by 

P = E^p (fc) = E^p4- (4) 

k leK 

It is important to choose the correct Hilbert space H to describe the measurement. To 
describe a spin measurement of an electron and the back reaction onto that spin we will 



3 



choose H, to be the Hilbert space of the spin of electron. If we are interested in the position 
or momentum of the electron as well we have to add the Hilbert space of spatial modes. It 
is a bit less obvious in quantum optics. If H is the one-photon polarisation Hilbert space 
then we implicitly assume that precisely one photon remains after the measurement. An 
eavesdropper may absorb the photon and so the final state is the vacuum. Therefore the 
adequate Hilbert space is the full Hilbert space of a light mode plus the polarisation degree 
of freedom. It turns out that we can derive the bounds presented here by restricting the 
Hilbert space to that of a single photon and later generalise it to the full Hilbert space. 

3 Estimate of the Shannon information 

The relevant expression for the Shannon information per signal is given with the help of 
the function h(x) = — xlogx, where log refers to basis 2, as 



An eavesdropper gains this Shannon information on the binary key whose signals are given 
by \& = 0, 1 when he learns, from communication on the public channel, the polarisation 
basis a = o, + (linear or circular) used for each signal, and registers the outcome k on 
the measurement apparatus triggered by each signal. The probabilities that a "0" or a 
"1" is sent are denoted by p($), the probability that outcome k is triggered by a photon 
prepared as basis state of the linear or circular polarisation basis is written as p{k a ), and 
the joint probability distribution for both events is p(^, k a ). 

We would like to give an upper bound on this Shannon information as a function of the 
measured disturbance of the quantum channel given as the error rate in the deterministic 
signals. This error rate is basically the fidelity measure of the channel, given by 



The definition of assumes here the use of the one photon polarisation Hilbert space. 
The expression Tr-^ (piPi) is the overlap between the input state p«, which is one of the 
four signal states, and the final state pi of the eavesdropper's measurement performed on 
this input state pi. This can be interpreted as the probability that the final state is still 
recognised as the initial state in apparatus of the receiver. Then Dm is the error rate 
averaged over the four signal states. 

It can be shown [|J that the optimal eavesdropping strategy can be given by operators 
Ak which can be described by real matrices in a representation for which the signal states 
are real density matrices. Each operator A^, which can always be expressed in the form 



/ = £ h un + E h HK)} - E h \p{% Ml ■ 



(5) 




1 4 

Dm = 1 - - E Tr w (piPi) ■ 



(6) 




(7) 
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with real, positive numbers a& and bk, (bk > CLk), projection operators Pk and orthogonal 
operators Ok- The optimal strategy satisfies the symmetry that for each such operator 
the set of operators A k contains as well the operator 



A k = ^fa~kOk + (Vbk - \fak) O k P 



(8) 



which employs the orthogonal complement P = In — Pk- The optimal eavesdropping 
strategy associates a measurement outcome with each of the operators Ak separately so 
that we do not need to employ any partitions K^ k \ For such an eavesdropping strategy 
the measured disturbance Dm is given by 



D 



fid 



E 



+- 



jTr H (piEi) - ^ (j\fakb~kTrH (O k piO k E, t 



keK 



(Tr n (O k PkP l PkO k r E t ) +Tr n (O k P kPi P k O'%E i )) 



Here Ei is the projection operator describing the effect of the polarisation analyser. For 
the one photon space we have Ei = p^. The Shannon information is given by the expression 



1 — l^k 2 



1 - log(l + rf k ) + 

(vl + Ck~ vlck) log(r]l + c k - rfkCk) 



+ (1 - c k + rf k Ck) log(l - c fc + rf k c k ) 



(9) 



V 2 k d k 



+ (1 - d k + rjldk) log(l - d k + vldk) 



In this expression we used the definitions of the overlaps Ck = Tr^ (piPk) and dk = 
Tr n (pzPk) and of the characteristic parameters r] k = with i] G [0, 1]. For r] k = 1 
an operator Ak takes the characteristics of the identity operator, which corresponds to 
non-interference of the eavesdropper, and for 7]k = the eavesdropping strategy tends to 
a von Neumann projection measurement. The overlaps are restricted by the inequality 



(dk - \f + (c k ~\f<\ 



(10) 



We can find the optimal choice of orthogonal operators Ok and Pk- The optimal choices 
are given in a later section. As a result we find now for the disturbance the inequality 



n . «fe + h 1 (1 - T]kY 
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Note that the condition ([I]) implies that 

£^P = 1 (12) 



a k + b k 



so that the expressions ak + bk have the property of a probability. The Shannon information 
can be estimated by 

/<E^^K 1-log(1 + ^ ) + ^! log%2 ) ' (13) 

It can be shown that the optimal choice of the characteristic parameters rj k is for them 
to take the same value fj. The proof uses variation methods. Then we find the inequalities 
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/ < - l-log(l+7? 2 ) + -^— logr? 2 . (15) 



2 V ' '' ' ' 1 + fj 2 , 

If we actually measure the average error rate Dm and find the value D m we can bound 
the value of fj by 

{ l-2v / 2 v /(l~2D m )g m ! 
D m ^ ^ 

which leads to the bound of the eavesdropper's Shannon information |7], || as 

^ < ^(l - log(l + rf) + logf) . (17) 

It can be shown that this bound can be further estimated by the linear bound 

1 £ i^™ (18) 

where In 2 is the natural logarithm of 2. For small D m this bound is nearly as good as 
the bound (|i"7|) which will later be shown to be sharp. The sharp bound and the linear 
approximation are plotted in figure as a function of the measured fidelity disturbance. 
Typical values for experimental realisations using the BB84 protocol achieve an error rate 
of 4 % for 30 km or 1.5 % for 10 km distance between sender and receiver. 



4 Privacy amplification 

For the purpose of secret communication the amount of Shannon information possibly 
leaked to an eavesdropper according to the previous estimate is far to high. However, 
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Figure 1: The bound on the Shannon information in the sharp (continuous 
line) and the linear bound (dashed line) as a function of the measured distur- 
bance D m . 



making use of the technique of privacy amplification |J it is possible to reduce Eve's 
total amount of Shannon information on the remaining key. For that the key has to be 
shortened using hash functions. The characteristic quantity for the fraction by which the 
key has to be shortened is the parameter T\. If we shorten the key by the fraction n 
then the eavesdropper is left at most with a Shannon information of 1 bit on the whole 
key. Each bit by which the key is is shortened additionally decreases this remaining 
Shannon information exponentially. The parameter t\ can be expressed with the help of 
the collision probability (p c (y)) y as 

n = l + log(p c (y))f . (19) 

The collision probability (p c (y)) y = J2 x p{ x \y) 2 refers to the probability distribution p(x\y) 
over all possible signal string x, conditioned on the event that the eavesdropper measured 
a particular string of measurement results y. 

Before they can apply the technique of privacy amplification, the sender and the 
receiver have to perform some type of error correction on their shared key. We assume that 
this process can be done without the eavesdropper gaining any additional knowledge and 
without the creation of any correlations between the signals. A possible realisation would 
be to use block parity comparison where the compared parity bit is encoded using some 
short shared secret key from the same source which gives the key used in the authentication 
of the public channel. In this case the collision probability is given by 

(p c (y))"=E v (c )(k) > ( 2 °) 

where the probabilities p^ (-0, k a ) and p^ c ' (k a ) now refer to the corrected key, and it 
takes only those signal transmissions which were correctly received into account. The 
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joint probability distribution (-0, k a ) is given, with a normalisation constant C, by 

P (c) M = ^Tr w • (21) 

It is again possible to show general properties of the A k which lead to an optimal 
information gain by the eavesdropper, along with minimal disturbance of the signal trans- 
mission. The optimal A k can be shown to be real (in the real representation of the signal 
states) and to consist of symmetric or anti-symmetric matrices. The symmetric matrices 
can have eigenvalues of different or of the same sign so that they can be written as 

i(±) 



Af> = ^r k t H - [ya~ k ± v^j Pk (22) 

with the a k and b k satisfying, as before, b k > a k > and P k is a projection operator. To 
each such operator the set of operators A k contains an operator 

[(±) 



AT' = Va~ k t n ~ [V^~k ± y/hj P k (23) 

using the orthonormal complement P k = 1^ — P k . I refrain from giving to give the 
expressions for the collision probability and the disturbance in the general form and 
give instead the forms optimised with respect to the choice of projection operators P k . At 
this stage they are given with the help of the characteristic parameter r\ k which satisfies 
rjl = |k and takes values in the range rj k G [—1,1] which is in contrast to the calculations 
leading to the bound on the Shannon information. The disturbance satisfies the inequality 

n at + h 1 (r/ fc - l) 2 a k + b k l 

Aid= ^ -^—4 r7 2 + 1 + 2. -^—4- ^ 

where is the index set of the symmetric operators and the index set of the 

anti-symmetric operators. The collision probability is bound by 

a k + b k l 1 17 + 12 Vk + 6rj + I2rf k + 17?^ 
Pc {y) / ~ a k + b k 3 + 2^ + 34 ■ {2b) 

We use again a variation method to show that the optimal eavesdropping strategy 
employs characteristic parameters r] k with the same value fj. Also it is clear that it is of 
disadvantage to the eavesdropper to use anti-symmetric operators A k . This leads to the 
estimates 

^ ketc 'I ^ 1 
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< iH±i^±jg±i|g^V , (27) 



and 

2 (3 + 2?) + 3rj 2 

The measured disturbance D m leads to a bound on fj given by 

! l-2 v / 2 v /(l-2D m )g m ! 
T^DZ Um ~ 2 . (28) 

1 — 2 

This finally allows us to bound the parameter n (|19|) by the inequality || 

! ln _ ( 17+127?+6r? 2 +12?7 3 +17r? 4 \ n < I 

10g ^ (3+25J+35?)* J m " 3 (29) 

1 | < An < 1 

This bound is shown in figure |j. Typical error rates in the BT experiment are e £ 
[0.01,0.05] which corresponds to n £ [0.05,0.26]. 
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Figure 2: The 'parameter t\ as a function of the error rate. The error rate e 
is equal to the disturbance measure Dm- 



5 Validity of the bounds 

The derivation of the bounds presented above assumes that the eavesdropper interacts 
with the signal photons but does not absorb them. In the experimental realisation, how- 
ever, an absorption of about 90 % is observed. The validity of the bounds can be extended 
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to accommodate the possibility of absorption by re-defining the average error rate as refer- 
ing only to those signals where the polarisation analyser successfully measured a signal. 
It can be shown that the eavesdropper cannot increase the trade-off between information 
and induced error rate by forwarding signal states to the receiver which contain more 
than one photon. The basic tool for this extension of the validity of the bounds is that 
one can show that each eavesdropper strategy is equivalent to an eavesdropper strategy 
which results in final states which are Fock states of fixed photon number. 

6 Delayed measurements 

The description of a delayed measurement needed here is that the eavesdropper has effec- 
tively two eavesdropping strategies at hand: one for each signal set of linear or circular 
polarisation. They are given by the A-operators {A k } k&K and {£>/} /6L with two index 
sets K and L which are not necessarily of the same size. The strategies cannot be chosen 
independently of each other since they must be alternative descriptions of the quantum 
channel viewed as a non-selective measurement. This means that the equality 

J2A kP A{ = J2B lP Bj (30) 

k£K leL 

must hold for all density matrices p. An example of relations between the sets {A k } keK 
and {Bi} leL satisfying this equality is the choice B t = J2k c ikA k with J2k c iAn = <W 
One can give a crude estimate of the Shannon information and of the collision probability 
because the disturbance is independent of the overlaps c k and d k . To give the bounds let 
the eavesdropper choose the projection operators P k of the set of operators A k and B k 
independently. Quantum mechanics will put some restrictions on that relation so that 
the resulting bounds are no longer sharp. Thus the eavesdropper's Shannon information 
may increase by a factor 2. The collision probability is bounded by 

< (31) 

where fj is bounded by the measured disturbance D^a as given in fl28|). The resulting 
bound for the fraction T\ of bits to be discarded during privacy amplification is plotted in 
figure In this estimate we can prove security against eavesdropping as long as the error 
rate is less than 25 %. This result is likely to remain valid if we allow n-photon operations 
as in the previous chapter. Formal proof, however, should be postponed until a sharp 
bound for delayed choice eavesdropping strategies can be given. Clearer understanding of 
the restrictions imposed by ([30]) is essential for the derivation of the sharp bound. 

References 



10 



0.00 0.05 0.10 0.15 0.20 0.25 0.30 
error rate e 



Figure 3: The crude bound of the fraction T\ of bits to be discarded during 
privacy amplification allowing for delayed measurements (solid line). This is 
compared to the sharp bound for non-delayed measurements (dashed line). 
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